Code:
OpenVPN 2.5.3 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
library versions: OpenSSL 1.1.1l 24 Aug 2021, LZO 2.10
The client config and server conf files both have these lines at the top:
Code:
user nobody
group nogroup
dev tun
..
..
I see in the OpenVPN manual that the --user option lets you:
"Change the user ID of the OpenVPN process to user after initialization, dropping privileges in the process. This option is useful to protect the system in the event that some hostile party was able to gain control of an OpenVPN session."
I can connect from the Android client to the OpenVPN server by commenting out those two lines, but is there a way to obtain the benefit of running as user "nobody" and group "nogroup", or some such unprivileged user, when connecting to the OpenVPN server on OpenWrt from an Android phone? From a terminal on my phone's Android OS, if I do ls -l I can see that the user and group of all files is u0_a252, so should I make a user and a group of u0_a252 on the server running OpenVPN and then use that as the user and group in the client and server config files? My phone is not rooted, so I guess running as user u0_a252 will be the same thing as running OpenVPN unprivileged?
Lastly, do I NEED to define a user AND a group, or is one or the other enough? The OpenVPN manual is a bit ambiguous on this point because it also states: "[if] you are dropping root privileges on the client with --user and/or --group.."
Cheers,
Flex